This specification generally relates to software release management.
Managing license obligations across the myriad of components being leveraged in modern software development can be a complex process. Some development processes involve continuous integration/continuous distribution (“CI/CD”), where developers merge working copies to a shared mainline frequently and push updates constantly at a rapid pace. A large application program may use thousands of libraries or other third-party copyrighted material. For example, some libraries may be open source software (“OSS”) libraries governed by one or more of many OSS licenses, while others are proprietary. Libraries may be inter-dependent, and each can have its own dependencies.
Conventionally, license compliance requires close involvement of the product managers (PMs) of individual products, engineering teams, and legal teams. Such tasks usually require a complete assessment of a release's dependencies, and therefore typically are performed just before major releases, after development has finished or almost finished. The tasks can be time-consuming, requiring a company to lock the software for weeks or months for legal review to complete before any given release. The conventional license compliance process may not be possible where software pushes occur frequently, as in CI/CD. A small change in a push that adds or removes a few lines of code may add or remove multiple branches in a dependency tree, requiring the entire license compliance analysis to be performed anew.